IP Source Guard dropping DHCP Offers

Unanswered Question
Mar 25th, 2008


I have a problem with IP Source Guard on a Catalyst 3750 switch running 12.2.40SE IOS.

I've configured port-security, DHCP Snooping and DAI and they all work as expected.

However, when it comes to IP Source Guard, things don't work as I expected... when a DHCP lease expires because a user has switched their machine off for a number of days, the snooping binding is removed and IP Source Guard then blocks the port. When the user switches the PC on again, I can see the DHCP request and a reply gets generated, but the offer gets dropped because there is no snooping binding!

One thing to note is that the DHCP server is on the switch itself and not on a port.

Does anyone know if this is the correct behaviour???


Istvan_Rabai Wed, 03/26/2008 - 23:41

Hi Steve,

I don't have experience with the situation where the DHCP server is on the same switch.

But the problem with the ip source guard probably can be solved with the following configuration:

conf t
ip dhcp snooping
ip dhcp snooping vlan x,y,z
ip dhcp snooping information option

The DHCP offer is dropped because the switch does not know which port to forward the dhcp offer to.

Information option helps solve this problem.

Try this and please inform me if this is successful.

Thank you.


steve_mils Thu, 03/27/2008 - 01:39

Hi Istvan,

Thanks for your advice: I have that config in place. I'm using port security, dhcp snooping, dynamic arp inspection and ip source guard - proper switch security ;-)

I've spent the last 2 days figuring out what's happening and I've found that it's a bug in 12.2.40SE. I've tried the same config using 12.2.35SE2, 12.2.44SE and 12.2.44SE1 and they all behave as expected.

Here is the relevant config:

ip dhcp excluded-address

ip dhcp pool Users
 lease 0 0 5

ip dhcp snooping vlan 2
ip dhcp snooping database tftp://
ip dhcp snooping
ip arp inspection vlan 2

interface GigabitEthernet1/0/4
 description Laptop
 switchport access vlan 2
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 10

interface Vlan2
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp

The lease time is so long for testing purposes; and option 82 is enabled by default so the command is not displayed in the running config.

Thanks, Steve
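The symptom Steve describes (a port whose snooping binding has expired sits in IP Source Guard's deny-all state, and the client cannot get a fresh lease through it) is easy to spot by cross-checking `show ip verify source` against `show ip dhcp snooping binding`. The script below is an added example, not code from the thread or from Cisco; the two show outputs are constructed samples in the column layout those commands print on a Catalyst 3750, and the exact field order and the `deny-all` wording are assumptions about that layout. It flags three conditions: an IPSG port in deny-all with no binding (where only DHCP should still be permitted until a lease is issued), a port still in deny-all although a binding exists (stale IPSG state), and a port whose permitted IP differs from its binding.

```python
"""Cross-check IP Source Guard (IPSG) state against the DHCP snooping table.

Added example, not from the original thread. The sample show-command
output below is constructed; the column layout is an assumption about
Catalyst 3750 / IOS 12.2SE formatting.
"""

# Constructed sample of `show ip verify source` (assumed column layout).
SHOW_IP_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/4    ip-mac       active       deny-all         deny-all           2
Gi1/0/5    ip-mac       active       192.0.2.20       00:11:22:33:44:55  2
Gi1/0/6    ip-mac       active       deny-all         deny-all           2
Gi1/0/7    ip-mac       active       192.0.2.40       00:11:22:33:44:77  2
"""

# Constructed sample of `show ip dhcp snooping binding` (assumed layout).
SHOW_IP_DHCP_SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   192.0.2.20       300         dhcp-snooping  2     GigabitEthernet1/0/5
00:11:22:33:44:66   192.0.2.30       300         dhcp-snooping  2     GigabitEthernet1/0/6
00:11:22:33:44:77   192.0.2.41       300         dhcp-snooping  2     GigabitEthernet1/0/7
Total number of bindings: 3
"""

# The binding table prints long interface names, `show ip verify source`
# prints short ones; normalise to the short form for matching.
INTF_ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_ifname(name):
    for long_form, short_form in INTF_ABBREV.items():
        if name.startswith(long_form):
            return short_form + name[len(long_form):]
    return name


def parse_verify_source(text):
    """Map short interface name -> IPSG entry (filter type/mode, ip, mac, vlan)."""
    entries = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Interface" or cols[0].startswith("-"):
            continue  # header, separator, or a line we do not understand
        intf, ftype, fmode, ip, mac, vlan = cols[:6]
        entries[short_ifname(intf)] = {
            "filter_type": ftype, "filter_mode": fmode, "ip": ip, "mac": mac, "vlan": vlan,
        }
    return entries


def parse_snooping_bindings(text):
    """Map short interface name -> list of bindings (mac, ip, lease, vlan)."""
    bindings = {}
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly six fields; header, separator and the
        # trailing "Total number of bindings" summary do not.
        if len(cols) != 6 or cols[0] == "MacAddress" or cols[0].startswith("-"):
            continue
        mac, ip, lease, btype, vlan, intf = cols
        bindings.setdefault(short_ifname(intf), []).append(
            {"mac": mac, "ip": ip, "lease": int(lease), "type": btype, "vlan": vlan}
        )
    return bindings


def audit(verify_text, binding_text):
    """Return (interface, condition, detail) tuples for ports needing attention."""
    findings = []
    ipsg = parse_verify_source(verify_text)
    bindings = parse_snooping_bindings(binding_text)
    for intf, entry in sorted(ipsg.items()):
        bound = bindings.get(intf, [])
        bound_ips = {b["ip"] for b in bound}
        if entry["ip"] == "deny-all" and not bound:
            findings.append((intf, "deny-all",
                             "no snooping binding; only DHCP should pass until a lease is issued"))
        elif entry["ip"] == "deny-all" and bound:
            findings.append((intf, "stale",
                             "binding exists for %s but IPSG is still deny-all" % sorted(bound_ips)))
        elif bound and entry["ip"] not in bound_ips:
            findings.append((intf, "mismatch",
                             "IPSG permits %s but binding table has %s" % (entry["ip"], sorted(bound_ips))))
    return findings


if __name__ == "__main__":
    for intf, condition, detail in audit(SHOW_IP_VERIFY_SOURCE, SHOW_IP_DHCP_SNOOPING_BINDING):
        print("%-8s %-9s %s" % (intf, condition, detail))
```

Run it against real output pasted into the two strings (or read from files captured over SSH). A port reported as `deny-all` with no binding is exactly the state in the question: it is correct for IPSG to block everything but DHCP there, so if the client's DHCP exchange still fails on that port, the problem is in the DHCP path, not in the binding table.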

Istvan_Rabai Thu, 03/27/2008 - 10:45

Thank you Steve,

I think this explains the abnormal behavior.

It is good you provided this info, because during the day I was thinking several times about this problem. Now, my mind will be freed from this :)



steve_mils Thu, 03/27/2008 - 13:04

Ha! I know that feeling very well. Issues like this one make me doubt my understanding. I automatically think I've configured things wrongly or not understood something when all along it's a bug!

Thanks, Steve

